
That is at least how we have been catching the last few batches of worms (they all leave signs of netbios failures, assuming you don't have wide open permissions across your network, which I would hope you don't).

With a little creative filtering, at least in ISS, you should be able to cut down on the false positives...

/nebulus

EDIT: One other thing...using IDS to control a virus infection is NEVER going to be an effective solution. Always think of it this way: IDS only notifies you AFTER something has happened. Since the worms spread automatically as fast as possible, you will rarely be able to track down infected machines before they spread to other machines. The more effective solution is having AV installed on all desktops that can be automatically or remotely updated, as well as AV filters on all incoming email, and blocking ports tcp/135, tcp/139, tcp/445, and udp/137, udp/138, udp/139; that should keep the majority of your users safe from worms.

IDS can buy you a lot, it is not an all-in-one wonder though.

There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
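The post above talks about spotting worm-infected hosts from the trail of NetBIOS/SMB failures they leave, and about filtering to cut the false positives. The script below is an added example, not code from the poster or from ISS: it runs over a constructed deny log (the log format, the addresses and the known-good server list are all assumptions for this example) and flags any source that gets denied on the listed worm ports against several distinct hosts inside a short window, while skipping hosts that legitimately talk to everyone, such as a domain controller.

```python
import re
from collections import defaultdict
from datetime import datetime

# The ports the post recommends blocking; an infected host probing them
# from inside shows up as a burst of denied connections to many peers.
WORM_PORTS = {("tcp", 135), ("tcp", 139), ("tcp", 445),
              ("udp", 137), ("udp", 138), ("udp", 139)}

# Hosts allowed to reach many peers on these ports (domain controllers,
# management servers). Hypothetical address chosen for this example.
KNOWN_GOOD = {"10.0.0.5"}

# Hypothetical deny-log format, modelled loosely on a generic firewall/IDS log.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>DENY|ALLOW) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: 10.0.1.23 sweeps six hosts in two seconds (worm
# behaviour), 10.0.0.5 is the known-good server, 10.0.1.40 is noise.
SAMPLE_LOG = """\
2003-06-25 09:00:01 DENY tcp 10.0.1.23:1067 -> 10.0.2.1:445
2003-06-25 09:00:01 DENY tcp 10.0.1.23:1068 -> 10.0.2.2:445
2003-06-25 09:00:02 DENY tcp 10.0.1.23:1069 -> 10.0.2.3:445
2003-06-25 09:00:02 DENY tcp 10.0.1.23:1070 -> 10.0.2.4:139
2003-06-25 09:00:03 DENY udp 10.0.1.23:137 -> 10.0.2.5:137
2003-06-25 09:00:03 DENY tcp 10.0.1.23:1071 -> 10.0.2.6:135
2003-06-25 09:00:10 DENY tcp 10.0.0.5:3389 -> 10.0.2.7:445
2003-06-25 09:00:10 DENY tcp 10.0.0.5:3390 -> 10.0.2.8:445
2003-06-25 09:00:11 DENY tcp 10.0.0.5:3391 -> 10.0.2.9:445
2003-06-25 09:00:11 DENY tcp 10.0.0.5:3392 -> 10.0.2.10:445
2003-06-25 09:00:12 DENY tcp 10.0.0.5:3393 -> 10.0.2.11:445
2003-06-25 09:00:20 DENY tcp 10.0.1.40:2001 -> 10.0.2.1:445
2003-06-25 09:00:21 ALLOW tcp 10.0.1.40:2002 -> 10.0.2.2:80
2003-06-25 09:05:00 DENY tcp 10.0.1.40:2003 -> 10.0.2.3:445
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["dport"] = int(ev["dport"])
    return ev


def find_scanners(lines, min_targets=5, window_seconds=60, known_good=KNOWN_GOOD):
    """Return {src: sorted distinct destinations} for every source whose denied
    NetBIOS/SMB attempts reached at least min_targets distinct hosts within any
    window_seconds span. Sources in known_good are ignored to cut false positives."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] != "DENY":
            continue
        if (ev["proto"], ev["dport"]) not in WORM_PORTS:
            continue
        if ev["src"] in known_good:
            continue
        events[ev["src"]].append((ev["ts"], ev["dst"]))

    hits = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        # Sliding window over the time-ordered events for this source.
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            targets = {dst for _, dst in evs[start:end + 1]}
            if len(targets) >= min_targets:
                hits[src] = sorted({dst for _, dst in evs})
                break
    return hits


if __name__ == "__main__":
    for src, targets in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"possible worm host {src}: probed {len(targets)} hosts: {', '.join(targets)}")
```

The threshold and window are the "creative filtering" knobs: a single denied SMB connection is normal (a mistyped share name), but one source hitting five or more distinct hosts on these ports inside a minute is not, and the known-good set keeps servers that legitimately fan out across the network off the list.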

Having a scanner/filter installed on your mail servers is a very good thing, as well. We were able to set a block in just a few minutes against the majority of the SoBig.E items while we got the anti-virus updates out to our network workstations and servers. I can remove the block now, or fine-tune it to be more effective.

Odd how these variations on a theme get you looking at network protection from different angles every time a new worm shows up.
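The post above describes putting a quick block on the mail server while signatures catch up. The following is an added example, not the poster's filter and not tied to any specific worm: a minimal attachment filter in Python's standard `email` module that rejects messages carrying attachments with executable extensions. The blocked extension list and the sample message are assumptions made for this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions a mail gateway would typically refuse outright while a worm is
# circulating. The list is an assumption for this example; tune it to your site.
BLOCKED_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs", ".js"}


def attachment_extension(filename):
    """Return the lower-cased final extension of a filename, or '' if it has none.
    Only the last extension counts, so 'invoice.txt.pif' is treated as .pif."""
    if "." not in filename:
        return ""
    return "." + filename.rsplit(".", 1)[-1].lower()


def blocked_attachments(raw_message):
    """Return the filenames of every attachment in raw_message (bytes) whose
    extension is on the block list. An empty list means the message may pass."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container, not a leaf part
        name = part.get_filename()
        if not name:
            continue  # body text or an unnamed part
        if attachment_extension(name) in BLOCKED_EXTENSIONS:
            found.append(name)
    return found


def build_sample(filename):
    """Construct a sample message with one attachment of the given name.
    Constructed test data: the addresses and payload are placeholders."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "Re: Your details"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(b"MZ\x90\x00placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("your_details.pif", "details.txt.scr", "report.txt"):
        verdict = blocked_attachments(build_sample(name))
        print(f"{name}: {'BLOCK ' + str(verdict) if verdict else 'pass'}")
```

A filter like this is deliberately crude: it keys on the declared attachment name, not the content, so it is the kind of stop-gap the post describes, something to hold the line for a few hours until the real AV signatures arrive and the block can be removed or narrowed.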